UK teen is world's youngest certified ethical hacker (maybe)
Born to tinker
For as long as he can remember, Shane Kelly has taken a keen interest in taking things apart. When he was 11 and his family took delivery of its first PC, he promptly pulled off the cover and disassembled it, much to the chagrin of his parents.
"They weren't too impressed at the time," Kelly, who is now 16, says. "But I put it back together. It worked."
A few months ago, the Solihull teenager successfully acquired an accreditation in Certified Ethical Hacking, making him possibly the youngest person to do so. While computers and networking have always captured his imagination, he says his interest in security prompted him to go for the hacking certification.
"That certainly stood out because it was the one qualification that focused not on the defensive side but it actually took you into the mind of the hacker," he says. "It was the mindset that gave me the motivation into taking the course."
Once upon a time, network security and penetration testing was a specialized field that was mainly inhabited by expensive outside consultants. Now that the net has become a core part of transacting business, more and more organizations are bringing these workers in-house.
"It's really come into its own as a legitimate area," says Terry Kurzynski, CEO of professional services firm Halock Security Labs, which also provides training for people seeking the credential. "We've been in security for 11 years and it really hasn't been until the last four or five years that ethical hacking has become a service."
It took Kelly about 10 months to complete the course work and pass the four-hour test required to get the accreditation. That included a five-day boot camp.
He recently landed a spot as a temporary worker at the Birmingham City University, where he expects to do IT-related work. He's considering acquiring additional accreditations for Cisco and Microsoft technologies.
But eventually, he says, he plans to do security work.
"Due to my age, it's probably not going to happen in the next five years," he says. "In the industry, you need to have a certain amount of experience. I hope to see myself doing security work of some some sort." ®
This story was updated to correct the name of the university where Kelly has landed a temp job.
Certifications and experience
Neither one means anything if the person possessing it is dead from the neck up. I've run into totally incompetent holders of first class honours degrees in CS, completely ineffective holders of PhDs, guys with 20 years or more experience of C programming who couldn't write hello world without having to edit it 3 times to fix syntax errors before it would compile (and then it did the wrong thing when they ran it). But they are extremely useful filters - why bother to interview someone who has neither certification nor experience (unless you have word of mouth reccommendation of them from someone you trust)? In fact, unless you are recruiting for a very junior position, why interview someone who doesn't have both certification and experience?
Of course the average recruitment consultant and the average HR type can't even read a job spec and a CV and see if there's any sort of match, and will even ask for quite insane experience (like the people asking for 10 years Algol 68 programming experience in 1971, which presumably required the candidate to have access to a working time machine) so they will fail to make correct use of certification and experience requirements as a candidate filter, and then it isn't at all obvious to either the candidate or to the hiring manager or team leader, once the recruitment "professionals" have got involved, that either certification or experience means anything at all. It's different with a real professional recruitment type, but those are few and far between and hard to find.
Unlike these typical HR types, I know what I'm looking for and I have a pretty good idea how to recognise it. And I can tell you now that a guy who picks up the ethical hacker certification at 16 will probably, by the time he's 21, have what I'm looking for. His ethical hacker certificate, in itself, is indeed irrelevant in terms of its practical content - the stuff it covers is not the stuff that my team needs, and most of the practical side of it will be out of date anyway in 5 years time (the theoretical side will continue to be relevant pretty well for ever, but most comments above seem to regard theory as pointelss; a remarkable piece of stupidity, as theory is often widely applicable and learning a new programming language or operating system is child's play compared to acquiring a good grounding in the theoretical underpinnings of computing and IT). The attitude he has demonstrated by getting it at the age of 16 *is* part (a very large part) of what I need. I imagine that other serious professionals (including a minority of those who commented above) will feel the same way.
Of course what nearly everyone fails to see is that experience and certification doesn't have to be directly and tightly relevant. Far too many people will say something like "ethical hacking isn't relevant to programming a web service, so that qualification is no qualification for the job I want filled". Well, those guys can safely leave the CV filtering to the HR types, who won't screw up filtering on the CV content any more than they would themsleves.
Hey Anonymous Coward,
Due to incorrect information supplied to The Register, we got the name of the university wrong in an earlier version of the story. The article has been updated. Thanks for pointing out the mistake.
As a postgraduate at the University of Birmingham I would be interested to speak to Shane. However, as far as I can tell Shane is not employed by the University. This seems like bad journalism to me.
Maybe he works for
* Birmingham City University (formerly University of Central England); or maybe
* Aston University.
Would TheRegister like to offer a response?
Shane, if you are reading this then get in touch, google "Ben Smyth"